From theall at tenablesecurity.com Tue Feb 5 15:55:23 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 5 Feb 2008 10:55:23 -0500
Subject: [VIM] Download Management for PHP-Fusion Multiple Local File Include Vulnerabilities

Has anyone looked at Bugtraq 27618 yet? I haven't seen the original advisory, but going by what's in the BID, I'm not sure the issues are valid, but my track record's been pretty poor lately so you probably should do your own research. :-(

- infusion.php starts by checking a couple of things, one of which is a define for "IN_FUSION". If that's not defined, it redirects to "../../index.php" and exits before reaching any code involving the supposedly-affected parameter.

- download_management_admin.php starts off by including PHP-Fusion's maincore.php, and that has support for extracting GET / POST variables if register_globals is disabled. But after that, maincore.php queries its database and populates the 'settings' array, including 'settings[locale]', with the results. And I didn't find anywhere else that an attacker could regain control of the array variable.

George
--
theall at tenablesecurity.com


From coley at linus.mitre.org Tue Feb 5 23:56:37 2008
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 5 Feb 2008 18:56:37 -0500 (EST)
Subject: [VIM] [Fwd: contactforms "cforms-css.php" Remote File Inclusion]
In-Reply-To: <47A1E3A3.9040806@milw0rm.com>
References: <47A1E3A3.9040806@milw0rm.com>

> The only contactforms I can find with cforms-css.php is a wordpress
> plugin.
>
> The script dies on its first line of code, line 7, because function
> load_plugin_textdomain could not be found.

Same conclusion here - we assigned CVE-2008-0560 and disputed it, based on version 7.3 code.

- Steve

======================================================
Name: CVE-2008-0560
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0560
Acknowledged: no
Announced: 20080131
Flaw: php-include
Reference: BUGTRAQ:20080131 contactforms "cforms-css.php" Remote File Inclusion
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/487347/100/0/threaded
Reference: VIM:20080131 [Fwd: contactforms "cforms-css.php" Remote File Inclusion]
Reference: URL:http://www.attrition.org/pipermail/vim/2008-January/001895.html

** DISPUTED ** PHP remote file inclusion vulnerability in cforms-css.php in Oliver Seidel cforms (contactforms), a Wordpress plugin, allows remote attackers to execute arbitrary PHP code via a URL in the tm parameter. NOTE: CVE disputes this issue for 7.3, since there is no tm parameter, and the code exits with a fatal error due to a call to an undefined function.

Analysis:

INCLUSION: Google searches for "contactforms" suggest that this is a distributable product; see http://www.deliciousdays.com/cforms-plugin

ACCURACY: version 7.3, as downloaded from the vendor site on 20080204, does not appear to use the tm parameter, at least based on crude grep searches. In addition, the first line of cforms-css.php calls load_plugin_textdomain(), which is undefined, so cforms-css.php would exit with a fatal error. Earlier versions were not available.


From coley at mitre.org Wed Feb 6 01:08:22 2008
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 5 Feb 2008 20:08:22 -0500 (EST)
Subject: [VIM] Older RaidenHTTPD path traversal issue (CVE-2007-6453) fixed
Message-ID: <200802060108.m1618MSB021295@faron.mitre.org>

While handling the more recent XSS, I was looking at this page:

http://www.raidenhttpd.com/jp/security.html

and saw mention of "raidenhttpd-ulang-command-execution (39088)", which is an X-Force tagname, which is CVE-2007-6453.

Looks like the page includes some other fixes, too, with the help of a native Japanese speaker and/or an automated language translator.

- Steve


From theall at tenablesecurity.com Fri Feb 8 19:49:27 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 8 Feb 2008 14:49:27 -0500
Subject: [VIM] Blackboard (id) Remote SQL Injection
Message-ID: <984815EC-8CCB-4A0D-8A6B-6D7DB861C74D@tenablesecurity.com>

Bugtraq 27696 was just added based on the following posting:

http://www.securityfocus.com/archive/1/487781/30/0/threaded

about a SQL injection vulnerability involving the 'forum_id' parameter of the 'philboard_forum.asp' script of something called Philboard.

To me, this seems to be the same issue as Bugtraq 22532 / milw0rm 3295. What am I missing???

George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com Fri Feb 8 20:05:43 2008
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 08 Feb 2008 14:05:43 -0600
Subject: [VIM] Blackboard (id) Remote SQL Injection
In-Reply-To: <984815EC-8CCB-4A0D-8A6B-6D7DB861C74D@tenablesecurity.com>
References: <984815EC-8CCB-4A0D-8A6B-6D7DB861C74D@tenablesecurity.com>
Message-ID: <47ACB617.1050105@milw0rm.com>

It's the same, I rejected it when he submitted it in.

/str0ke

George A. Theall wrote:
> Bugtraq 27696 was just added based on the following posting:
>
> http://www.securityfocus.com/archive/1/487781/30/0/threaded
>
> about a SQL injection vulnerability involving the 'forum_id' parameter
> of the 'philboard_forum.asp' script of something called Philboard.
>
> To me, this seems to be the same issue as Bugtraq 22532 / milw0rm
> 3295. What am I missing???
>
> George


From theall at tenablesecurity.com Fri Feb 8 22:02:25 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 8 Feb 2008 17:02:25 -0500
Subject: [VIM] Mambo Component com_gallery Remote SQL Injection Vulnerability
Message-ID: <504E9B0A-55D1-47A5-996B-C567CF6B7A19@tenablesecurity.com>

Anybody know what particular gallery component Milw0rm 5084 is about? It looks suspiciously like AkoGallery, already covered by milw0rm 5029, and the sites I turn up using the Googledork in 5084 seem to be using AkoGallery rather than the Menalto Gallery addon.

George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com Fri Feb 8 22:53:21 2008
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 08 Feb 2008 16:53:21 -0600
Subject: [VIM] Mambo Component com_gallery Remote SQL Injection Vulnerability
In-Reply-To: <504E9B0A-55D1-47A5-996B-C567CF6B7A19@tenablesecurity.com>
References: <504E9B0A-55D1-47A5-996B-C567CF6B7A19@tenablesecurity.com>
Message-ID: <47ACDD61.6090902@milw0rm.com>

I would have placed more information if I had it. Checking the sites, it just states it's Gallery without any version information.

The gallery script can be found on these sites.

http://andin-furniture.com
http://mazandms.org
http://irancodenews.ir
http://akhoondian.com
http://www.mehdi-fallah.com

The .xml file will show the difference.

Regards,

/str0ke

George A. Theall wrote:
> Anybody know what particular gallery component Milw0rm 5084 is about?
> It looks suspiciously like AkoGallery, already covered by milw0rm
> 5029, and the sites I turn up using the Googledork in 5084 seem to be
> using AkoGallery rather than the Menalto Gallery addon.
>
>
> George


From jericho at attrition.org Tue Feb 12 17:38:54 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 12 Feb 2008 17:38:54 +0000 (UTC)
Subject: [VIM] New Classification: Discovered In the Wild

http://osvdb.org/blog/?p=227

New Classification: Discovered In the Wild
February 12th, 2008

In a recent discussion on the security metrics mailing list, Pete Lindstrom put forth a rough formula to throw out a number of vulnerabilities that have been discovered versus undiscovered. One of the data points that he cited led me to his page on undercover vulnerabilities, his term for 0-day in a certain context. Since the term 0-day has been perverted to mean many things, he clearly defines his term as:

  Undercover Vulnerability: A vulnerability that was generally unknown (e.g. not published on any lists, not discussed by above ground security folks) until it was actively exploited in the wild. The vulnerability was discovered through evidence of tampering or other means, not through the usual bugfinding ritual.

In my reply challenging some of his numbers, I specifically said "if we consider that your number 20 is off by at least half, and I would personally guess it's more like a small fraction, how does this change your numbers?" Pete took this in stride and offered to buy me a case of beer if I could find half a dozen that he didn't have. Not one to pass up free booze and vulnerability research (yes, I'm weird) I spent several hours Friday doing just that. I ended up with 24 vulnerabilities that seemed to match his definition, roughly half of them in his time frame (in the last two years).

Pete's page got me wondering just how many vulnerabilities could be classified as undercover by his definition. Further, I thought about another question he asked on his page:

  "I am open to suggestions on an easy way to do this with TypePad (TypeLists, maybe?). Else, I'll just periodically update as new vulns become available."

I cornered our lead developer Dave and said "make it so" while I mailed Pete asking if OSVDB could help in this effort. As a result, we now have a new classification that we call Discovered In the Wild that means the same thing as Pete's undercover vulnerability. I have updated the 20 vulnerabilities listed on his page and added the flag to the ones I researched. This now shows 43 results which is good progress. Not content with that, I asked a fellow geek who has a world more experience with IDS, NOC management and various devices that would be prone to catching such vulnerabilities how many do you think were found this way last year, to which she replied "at least 50?".

So vulnerability researchers and OSVDB contributors, it's up to you to help out! We're looking for more instances of vulnerabilities being discovered "in the wild", being exploited and subsequently disclosed (to mail list, vendor, whatever). Please cite your source as best as possible.

To see what we have so far:

1. http://osvdb.org/search/advsearch
2. Under Vulnerability Classification and Disclosure
3. Check Discovered in the Wild
4. Search

Thanks to Pete Lindstrom and the Security Metrics mailing list for the input and great idea for a new classification!


From coley at mitre.org Wed Feb 13 17:56:25 2008
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 13 Feb 2008 12:56:25 -0500 (EST)
Subject: [VIM] site-specific or bad product name? SQL injection PKs Movie Database
Message-ID: <200802131756.m1DHuP2Y016935@faron.mitre.org>

Regarding the SQL injection in MILW0RM:5095 / http://www.milw0rm.com/exploits/5095 , one of our analysts found that it doesn't quite look like a real product, and/or is site-specific. Any ideas?

The researcher's Dork query locates the warriordvds.com web site. The bottom of the page begins with "PKs Movie Database version 3.0.3 is licensed via ... PK-Designs.com." As of 20080212, the PK-Designs.com web site doesn't list a product named PKs Movie Database.

The bottom of warriordvds.com also says "Powered by: Ant Movie Catalog." Ant Movie Catalog is a distributable product (www.antp.be/software/moviecatalog); however, it does not seem to be the product in question. First, it is implemented in Pascal and apparently does not make any use of PHP (there is no index.php). Second, the history page indicates that 3.1.0 came after 3.0.1; there was no 3.0.3. Third, it apparently does not make use of the parameters mentioned in the MILW0RM:5095 disclosure.

Given that some uses of PKs Movie Database are "Powered by: Ant Movie Catalog," it seems likely that PKs Movie Database is a set of data about movies, not a product with its own executable files. Thus, perhaps the disclosure is actually about an unknown PHP application that also happens to use version 3.0.3 of the PKs Movie Database data.

- Steve


From coley at mitre.org Wed Feb 20 21:54:14 2008
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 20 Feb 2008 16:54:14 -0500 (EST)
Subject: [VIM] Recipe theme SQL injection unlikely
Message-ID: <200802202154.m1KLsEj5026263@faron.mitre.org>

Researcher: S@BUN
Ref: Wordpress Plugin (wp-content/recipe) SQL Injection
http://www.securityfocus.com/archive/1/archive/1/488281/100/0/threaded

BID thinks this is from:

http://www.templatepanic.com/article/recipes-blog-wordpress-theme

However, wordspew-rss.php doesn't exist in that distribution, and this was probably a cut-and-paste error from CVE-2008-0682, which was about Wordspew (and confirmed by the vendor by the way, see http://pierre.sudarovich.free.fr/index.php/2006/02/28/ajax-shoutbox/).

In addition, the Google-dork points to live sites that use programs such as viewRecipe.php, which isn't in the TemplatePanic theme. Also, the TemplatePanic theme doesn't seem to use SQL, at least not directly.

So, if there's an SQL injection in some recipe module somewhere, we don't know what module or program it is.

- Steve


From coley at mitre.org Thu Feb 21 18:04:41 2008
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 21 Feb 2008 13:04:41 -0500 (EST)
Subject: [VIM] S@BUN posts
Message-ID: <200802211804.m1LI4fOD028754@faron.mitre.org>

FYI, for CVE, I'm de-prioritizing most disclosures by S@BUN. This means that our analysts try to stay away from these disclosures unless we're running out of new stuff to process. They often take too much time to research, even with the google-dork reference, just to figure out if CVE should include them, and they are sometimes too full of important errors or omissions.

That said - str0ke, one of our analysts noticed that the posts that make it to milw0rm always seem to be for a likely-distributable product with at least some information. Do you have some rough process for handling S@BUN's posts? If you've already done some degree of verification, that might be enough for us to treat them with normal priority.

What are others doing, if anything, about these?

- Steve


From str0ke at milw0rm.com Thu Feb 21 18:46:27 2008
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 21 Feb 2008 12:46:27 -0600
Subject: [VIM] S@BUN posts
In-Reply-To: <200802211804.m1LI4fOD028754@faron.mitre.org>
References: <200802211804.m1LI4fOD028754@faron.mitre.org>
Message-ID: <47BDC703.6010703@milw0rm.com>

Steven,

The bugtraq submissions usually have 1-2 targets to test in the wild, usually with one working. Not much to go on so I don't post those up. The submissions he's sending into milw0rm usually have around 5-15 targets submitted with the vulnerability + others out in the wild.

I can disclose vulnerable targets if it would help to figure out version / other information. I don't have the time currently to keep tracking version information with the amount he's submitting in. Maybe we can all help each other out :)

The main problem is that I'm allowing his work in without version information and others will start following suit which will get even worse.

He's finding sql injections pretty quickly for widely used components/modules. Betting he's using an automated sql injection scanner in the wild mostly because of the dorks and lack of information on the product when chatting with him.

/str0ke

Steven M. Christey wrote:
> FYI, for CVE, I'm de-prioritizing most disclosures by S@BUN. This
> means that our analysts try to stay away from these disclosures unless
> we're running out of new stuff to process. They often take too much
> time to research, even with the google-dork reference, just to figure
> out if CVE should include them, and they are sometimes too full of
> important errors or omissions.
>
> That said - str0ke, one of our analysts noticed that the posts that
> make it to milw0rm always seem to be for a likely-distributable
> product with at least some information. Do you have some rough
> process for handling S@BUN's posts? If you've already done some
> degree of verification, that might be enough for us to treat them with
> normal priority.
>
> What are others doing, if anything, about these?
>
> - Steve
>
>


From coley at linus.mitre.org Thu Feb 21 19:18:12 2008
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 21 Feb 2008 14:18:12 -0500 (EST)
Subject: [VIM] S@BUN posts
In-Reply-To: <47BDC703.6010703@milw0rm.com>
References: <200802211804.m1LI4fOD028754@faron.mitre.org> <47BDC703.6010703@milw0rm.com>

On Thu, 21 Feb 2008, str0ke wrote:

> I can disclose vulnerable targets if it would help to figure out version
> / other information. I don't have the time currently to keep tracking
> version information with the amount he's submitting in. Maybe we can all
> help each other out :)

I'm not sure that listing vulnerable targets would be overly helpful, since we can get them with the right Google query anyway. Also, it would be more directly exposing those sites to the issues.

> The main problem is that I'm allowing his work in without version
> information and others will start following suit which will get even
> worse.

This is definitely a concern, but if researchers can't get through milw0rm then they'll go somewhere else, and the VDBs will follow them to whatever place they post to, so it's just moving the problem around. And there's always Full-Disclosure.

> He's finding sql injections pretty quickly for widely used
> components/modules. Betting he's using an automated sql injection
> scanner in the wild mostly because of the dorks and lack of information
> on the product when chatting with him.

If he's learning about these modules from specific sites, like some massive Joomla! component list somewhere, then it would be great to know what those sites are, since they probably have forward links to the developer's site. (This is what r0t was doing a couple years ago when he found hundreds of issues). It doesn't appear that S@BUN's using the standard (English-language) module repositories. But if S@BUN's just randomly crawling the web, we might be out of luck.

Thanks!

Steve


From coley at mitre.org Tue Feb 26 21:01:58 2008
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 26 Feb 2008 16:01:58 -0500 (EST)
Subject: [VIM] Novell client EnumPrinters overflow (CVE-2008-0639) download change
Message-ID: <200802262101.m1QL1wu5011143@faron.mitre.org>

FYI, I was notified by a Novell engineer that this URL for a patch download:

http://download.novell.com/Download?buildid=SszG22IIugM~

was changed to:

http://download.novell.com/Download?buildid=Ui5qNQgEmHE~

If there are other patch URLs for this issue, I don't know their status (for CVE we just use them when they prove that the vendor acknowledged the issue).

- Steve